Timestamp Authority CVE-2026-49835
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-accessible service, no auth required; AC:H because memory exhaustion demands sustained high-volume unique requests; pure availability impact with no scope change.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionGitHub Advisory
Impact
An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server.
This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path (r.URL.Path) and raw HTTP request method (r.Method) as Prometheus labels for latency and request count metric vectors. Since this middleware runs before standard routing occurs, it executes for all incoming requests, including those for unmatched paths (yielding 404 responses) or arbitrary request methods. The Prometheus library registers a new, permanent time-series entry for every distinct label combination. An attacker can continuously issue requests containing random paths (e.g., /api/v1/timestamp/<uuid>) or random HTTP methods to exhaust system memory.
Patches
This issue has been patched by limiting the metric label values to a strict allowlist of expected paths (/ping, /api/v1/timestamp, /api/v1/timestamp/certchain) and expected HTTP methods (GET, POST, HEAD, OPTIONS). Unrecognized paths or methods are normalized to a static string ("unrecognized").
Users should update to version v2.0.7 or later.
Workarounds
- Block or drop incoming requests with invalid HTTP methods or unknown request paths at a reverse proxy or load balancer before they reach the timestamp authority server.
- Configure rate-limiting on the public interface to prevent remote attackers from issuing millions of unique requests in a short duration.
AnalysisAI
Unbounded memory exhaustion in Sigstore's timestamp-authority server allows any unauthenticated remote attacker to crash or degrade the service by flooding it with high-cardinality HTTP requests. The root cause is the global wrapMetrics Prometheus middleware, which permanently registers a new time-series entry for every unique combination of raw request path and HTTP method it observes - including requests for unmatched paths that return 404 - causing heap memory to grow without bound under attacker-controlled input. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The timestamp-authority HTTP server must be reachable over the network by the attacker - no special configuration is required to enable the vulnerability, as the `wrapMetrics` middleware is active by default and runs for all incoming requests. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H correctly identifies this as a network-accessible, unauthenticated availability threat with elevated attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a publicly reachable Sigstore timestamp-authority HTTPS endpoint and scripts a high-throughput request loop that generates UUID-suffixed paths such as `/api/v1/timestamp/8f3a2c1d-...` with each iteration. Each unique path causes the `wrapMetrics` middleware to permanently allocate a new Prometheus time-series object in the server's heap; sustained over minutes to hours, the process exhausts available RAM, triggering an out-of-memory kill or severe degradation that prevents legitimate timestamp requests from completing. … |
| Remediation | The primary remediation is to upgrade the timestamp-authority server to v2.0.7 or later, as documented in the vendor advisory at https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-9c54-x2g4-v92j. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9c54-x2g4-v92j